Communicating a Cyberattack to Organizations

According to the National Institute of Standards and Technology (NIST), a cyber-attack targets “an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.” Today, almost every piece of information can be digitized. While digitization of banking services has important benefits for both credit unions and their members, the resulting proliferation of digital data and systems provides hackers with no shortage of potential targets to damage and exploit. For credit unions and other financial institutions that handle individual consumer finances, this threat can cause major stressors around the safety and privacy of members.

In the unfortunate event that a breach does occur, here are some effective ways to proactively communicate a cyberattack.

How to communicate

If an organization does find itself amid a cyberattack, NIST created a Computer Security Incident Handling Guide1 designed to help organizations communicate the incident professionally and efficiently. Some key insights from the report include:

  • Have an organizational plan in place

To efficiently deal with a cyberattack, organizations need to have a formal, focused, and coordinated approach in response to the incident. This response plan will provide the roadmap for employees, creating stability rather than panic if the incident were to happen again. Organizations should have a plan that aligns with its mission, size, structure, and functions.

  • Simplify internal and external outreach procedures

When communicating both internally and externally in a time of crisis, it can become chaotic with different modes of information flooding in all at once. In preparation for communicating a cyberattack, organizations should establish media communications procedures that comply with its internal culture, as well as its policies on media interaction and information disclosure. According to the guide, for discussing incidents both internally and externally, organizations find it beneficial to designate one person of contact (POC) and one backup contact to avoid information overload.


NAFCU has long advocated for legislation and regulations that will help credit unions prevent and remain educated on cyberattacks. The association has developed a white paper, “NAFCU’s Principles for a Federal Data Privacy Standard,” that outlines six data privacy principles for legislators to take note of as all aspects of organizations find themselves operating in an increasingly digital world. These principles emphasize the need for a comprehensive federal data privacy standard that protects consumers, harmonizes existing federal data privacy laws, and preempts state privacy laws.

The association has written to legislators emphasizing these principles as tools to ensure credit unions and their members feel secure with their data. NAFCU remains committed to helping credit unions stay informed of data privacy initiatives in Congress and will continue to fight for consumer privacy as more information continues to be digitized.

NAFCU has a complimentary, member-only online community exclusively for those responsible for cybersecurity & IT at NAFCU member credit unions. Learn more about the NAFCU Cybersecurity and IT Network at

  1. Paul Cichonski, Tom Millar, Tim Grance, and Karen Scarfone. “Computer Security Incident Handling Guide” (August 2012). National Institute of Standards and Technology Special Publication No. 800-61., accessed January 202